SQL Injection in Duplicate-Page WordPress Plugin

While investigating the Duplicate Page plugin we have discovered a dangerous SQL Injection vulnerability.

It was not being abused externally and impacts over 800,000 sites. It’s urgency is defined by the associated DREAD score that looks at damage, reproducibility, exploitability, affected users, and discoverability.

A key contributor to the criticality of this vulnerability is that it’s exploitable by any users with an account on the vulnerable site (regardless of the privileges they have – e.g., subscribers) and is easy to exploit.